Serial No. 10/611,460; Filed 6/30/03 
Reply to Office Action 

REMARKS 

Claims 1, 15, and 22 are amended. No claims are added or canceled. Hence, Claims 1-30 
are pending in this application. The amendments to the claims as indicated herein do not add 
any new matter to this application. Each issue raised in the Office Action mailed June 5, 2008, is 
addressed hereinafter. 

I. ISSUES RELATING TO CLAIM AMENDMENTS 

The claim amendments as indicated herein have support in the following paragraphs of 
the Specification: Paragraph [0093] ("When the interfaces of firewall router 210 have been 
configured with the new temporary entries in the ACLs, the result is that a logical passageway 
is opened through the firewall to allow certain types of traffic specified in the user profile of 
User 302 and initiating from Client 306 to pass unobstructed to target server 222."); and 
Paragraph [0091] ("Preferably, the temporary entries in the ACLs are not automatically deleted 
when a user terminates a session.") (Emphases added.) 

II. ISSUES RELATING TO CITED PRIOR ART 

A. Claims 1-9 and 13-19, 22-23, and 25-27 — BAIZE in view of SADOVSKY in 
view of CISCO I/II 

Claims 1-9 and 13-19, 22-23, and 25-27 are rejected under 35 U.S.C. § 103(a) as 
allegedly obvious over U.S. Patent No. 6,317,838, issued to Baize, et al. ("Baize"), in view of 
U.S. Patent No. 5,689,638, issued to Sadovsky, et al. ("Sadovsky"), in further view of 
"Configuring IP Access Lists," by Cisco Systems, Inc. ("Cisco I"), in further view of "Release 
Notes for the Cisco 1000 Series Routers for Cisco IOS Release 11.3," by Cisco Systems, Inc. 
("Cisco II"). The rejections are respectfully traversed. 

Cisco I does not qualify as a prior art reference 

35 U.S.C. § 102 requires that publications which are cited as prior art references against a 
patent application be "described in a printed publication . . . before the invention thereof by the 
applicant for patent," or "described in a printed publication . . . more than one year prior to the 
date of the application for patent in the United States." Because the copyright dates, as listed at 
the bottom of Cisco I, indicate the earliest publication date of this particular document as 2007, 
Cisco I does not qualify as a prior art reference against this application. Portions of the 
document might reflect subject matter that was not "described in a printed publication . . . before 
the invention thereof by the applicant for patent," or "described in a printed publication ... more 
than one year prior to the date of the application for patent in the United States," as required by 
35 U.S.C. § 102. Based on the foregoing, Applicants respectfully submit that Cisco I be removed 
as a reference against this application. Additionally, Applicants respectfully submit that any 
arguments herein against Cisco I do not constitute an admission that the subject matter 
disclosed in Cisco I qualifies as prior art against the present application. 

The Office Action cites Cisco II to show the existence of reflexive ACLs as early as 
3/2/98. However, Cisco II only lists "Reflexive Access Lists" in Table 4. Thus, Cisco II is 
effective only as to the scope included in Cisco II, namely, the listing of "Reflexive Access Lists" 
in Table 4, and cannot be "stretched" to incorporate the scope of any document that was not cited 
within Cisco II. Thus, Cisco II cannot be used to incorporate the scope of Cisco I, and cannot be 
used to qualify Cisco I as a prior art reference against the instant application. 

Welcher should be removed as a prior art reference 

Because the Office Action concedes that Applicants have successfully overcome the date 
of Welcher as a reference, Welcher should be removed as a reference, and no longer used in any 
rejection against the claims. Even though the Office Action states that Applicants, by the 37 
CFR 1.131 declaration submitted in the previous response to Office Action, have successfully 
overcome the date of the Welcher reference of 5/5/99, the Office Action continues to use the 
cited prior art against the claims of the instant application. As stated above, 35 U.S.C. § 102 
requires that publications which are cited as prior art references against a patent application be 
"described in a printed publication . . . before the invention thereof by the applicant for patent," or 
"described in a printed publication . . . more than one year prior to the date of the application for 
patent in the United States." Portions of Welcher might reflect subject matter that was not 
"described in a printed publication . . . before the invention thereof by the applicant for patent," or 
"described in a printed publication . . . more than one year prior to the date of the application for 
patent in the United States," as required by 35 U.S.C. § 102. Additionally, similar to Cisco I, 
Cisco II cannot be used to incorporate the scope of Welcher, and cannot be used to qualify 
Welcher as a prior art reference against the instant application. 

Based on the foregoing, Applicants respectfully submit that Welcher be removed as a 
reference against this application. 

Claim 1 is patentable over any combination of cited art 

Claim 1 recites: 

    means for reconfiguring the network firewall routing device to 
    permit the client to communicate with the network resource 
    only when the client is authorized to communicate with the 
    network resource based on the authorization 
    information, wherein the means for reconfiguring the 
    network firewall routing device opens a logical passageway 
    for network traffic from the client, wherein the logical 
    passageway does not automatically close when a user 
    terminates a session, wherein the means for reconfiguring 
    the network firewall routing device further comprises: 

        means for determining a current IP address of the client; 

        means for creating a new user profile information, based on 
        the user profile information, that includes the 
        current IP address; and 

        means for adding the new user profile information as 
        temporary entries to the Input Access Control List at 
        the external interface and to the Output Access 
        Control List at the internal interface. 

(emphases and labels added). In applying references against a claim, "[t]he identical invention 
must be shown in as complete detail as is contained in the ... claim." Richardson v. Suzuki Motor 
Co., 868 F.2d 1226, 1236, 9 USPQ2d 1913, 1920 (Fed. Cir. 1989). The elements must be 
arranged as required by the claim. In re Bond, 910 F.2d 831, 15 USPQ2d 1566 (Fed. Cir. 1990). 
(See also MPEP § 2131.) 

No combination of the references shows the claimed invention in "complete detail as is 
contained in the . . . claim." In particular, no combination of the references shows all the features 
of "means for reconfiguring the network firewall routing device" arranged as required by the 
claim. 

"[M]eans for reconfiguring the network element firewall routing device," as recited in 
Claim 1, satisfies specific conditions, specifically, the condition of "only when the client is 
authorized to communicate with the network resource based on the authorization 
information." Thus, all the features of the "means for reconfiguring the network element 
firewall routing device" also require the condition of "only when the client is authorized to 
communicate with the network resource based on the authorization information," as recited in 
Claim 1. The "means for reconfiguring" is therefore inseparable from the condition of "only 
when the client is authorized to communicate with the network resource based on the 
authorization information," and any reference used to teach such "means for reconfiguring" 
must also teach the means satisfying such a specific condition. 

Baize does not teach or disclose "means for reconfiguring the network element firewall 
routing device to permit the client to communicate with the network resource," wherein such 
means for reconfiguring necessarily "opens a logical passageway for network traffic from the 
client, wherein the logical passageway does not automatically close when a user terminates a 
session." Instead, in complete contrast to Claim 1, Baize discloses allowing such communication 
"only as long as the same session remains opened." (Baize, Col. 7, lines 17-18.) Because 
Baize does not teach such means to reconfigure, it logically follows that Baize cannot teach such 
means satisfying any specific condition. 

Furthermore, Baize does not teach or disclose such "means for reconfiguring" comprising 
"means for determining a current IP address of the client;/means for creating a new user profile 
information, based on the user profile information, that includes the current IP address; 
and/means for adding the new user profile information as temporary entries to the Input Access 
Control List at the external interface and to the Output Access Control List at the internal 
interface." In contrast to the "means for configuration," as recited in Claim 1, in response to a 
subsequent request to communicate, Baize instead configures the firewall to request 
authentication from the authentication server anew, and to apply "application rules according to 
the operational profile of the user Ux." Again, because Baize does not teach such means to 
reconfigure, it logically follows that Baize cannot teach such means satisfying any specific 
condition. 

The Office Action relies on Cisco I/II to teach such feature of "means for reconfiguring." 
However, Cisco I/II are deficient because while Cisco I/II disclose reflexive ACLs, Cisco I/II do 
not teach any usage of reflexive ACLs that satisfy the condition of "only when the client is 
authorized to communicate with the network resource based on the authorization 
information," as required by Claim 1. Instead, Cisco I/II disclose only a limited usage of 
reflexive ACLs that is distinct from the features recited in Claim 1, namely "reflexive ACLs . . . 
are generally used to allow outbound traffic and to limit inbound traffic in response to sessions 
that originate inside the router." (Cisco I, page 15; emphases added.) Therefore, Cisco I/II do 
not teach using reflexive ACLs based on any authorization to communicate based on Claim 
1's "authorization information." In contrast to Claim 1, the only authorization information 
that Cisco I teaches is the information that a session originated inside the router, which is 
distinct from Claim 1's "authorization information." Because Cisco I does not disclose usage of 
reflexive ACLs that satisfy the specific condition as required in Claim 1, it is respectfully 
submitted that Cisco I/II fail to "fill the gaps" left behind by Baize. 
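As an added illustration (not part of the application, the claims, or any cited reference), the following Python model shows the distinction argued above: temporary Input/Output ACL entries bound to the client's current IP address are added only when the client is authorized and remain after session termination, whereas a session-bound variant closes the passageway as soon as the session ends. The class names, field names, and sample profile are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Constructed sample profile (not from the application): the traffic this user
# may send, as (target_ip, protocol, port) tuples.
PROFILE = {"user": "user302", "allowed": {("10.0.0.22", "tcp", 443)}}

@dataclass
class AclEntry:
    src: str
    dst: str
    proto: str
    port: int
    temporary: bool = True  # marks entries added by reconfigure()

@dataclass
class FirewallRouter:
    """Model of the claimed device: an Input ACL on the external interface and
    an Output ACL on the internal interface (class and field names assumed)."""
    input_acl_external: list = field(default_factory=list)
    output_acl_internal: list = field(default_factory=list)

    def reconfigure(self, client_ip: str, profile: dict, authorized: bool) -> int:
        """Open a logical passageway only when the client is authorized: bind the
        profile's permitted traffic to the client's current IP (the 'new user
        profile information') and add one temporary entry to each ACL.
        Returns the number of entries added per ACL (0 when not authorized)."""
        if not authorized:
            return 0
        added = 0
        for dst, proto, port in sorted(profile["allowed"]):
            entry = AclEntry(client_ip, dst, proto, port)
            self.input_acl_external.append(entry)
            self.output_acl_internal.append(entry)
            added += 1
        return added

    def permits(self, src: str, dst: str, proto: str, port: int) -> bool:
        """Traffic passes only if both interfaces hold a matching entry."""
        def hit(acl):
            return any(e.src == src and e.dst == dst and e.proto == proto
                       and e.port == port for e in acl)
        return hit(self.input_acl_external) and hit(self.output_acl_internal)

    def end_session(self, client_ip: str) -> None:
        """Session teardown leaves the temporary entries in place, as claimed."""
        return None

class SessionBoundFirewall(FirewallRouter):
    """Contrast case: the passageway closes as soon as the session ends."""

    def end_session(self, client_ip: str) -> None:
        self.input_acl_external = [e for e in self.input_acl_external if e.src != client_ip]
        self.output_acl_internal = [e for e in self.output_acl_internal if e.src != client_ip]
```

In the claimed model, removal of the temporary entries is a separate housekeeping step rather than a side effect of session teardown.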

Sadovsky does not "fill the gaps" left behind by Baize or Cisco I/II because Sadovsky does 
not teach "means for determining a current IP address of the client;/means for creating a new user 
profile information, based on the user profile information, that includes the current IP address; 
and/means for adding the new user profile information as temporary entries to the Input Access 
Control List at the external interface and to the Output Access Control List at the internal 
interface" that satisfy the condition of "only when the client is authorized to communicate with 
the network resource based on the authorization information." Instead, Sadovsky merely teaches 
maintaining a cache of usernames and passwords at a central server. It does not teach any user 
profile information, or any client authentication information that indicates any access privileges 
the client has with respect to the resource, as recited in Claim 1. It does not teach creating any 
new user information data that includes any current IP addresses. Therefore, Sadovsky does not 
"fill the gaps" that Baize and Cisco I leave with respect to Claim 1. 

No motivation to combine Baize and Cisco I 

Furthermore, there is no motivation to combine Baize and Cisco I by modifying the 
teachings of Baize with Cisco I. "If proposed modification would render the prior art invention 
being modified unsatisfactory for its intended purpose, then there is no suggestion or motivation 
to make the proposed modification. In re Gordon, 733 F.2d 900, 221 USPQ 1125 (Fed. Cir. 
1984)" (MPEP 2143.01). The system of Baize would be rendered unsatisfactory for its intended 
purpose if modified with the features described in Cisco I. Baize clearly states that Baize is 
intended, for security purposes or otherwise, to re-send a request for reauthentication from the 
server Ss for "any subsequent request" for access to a server or resource by a client. (Col. 7, lines 
3-14.) In Baize, user operational profiles are downloaded, and used with application rules 50. 
However, no portion of Baize teaches any modification of Baize's IP filtering rules 20. Thus, 
any proposed modification of such IP filtering rules 20, such as adding reflexive ACLs as 
described in Cisco I, which allow access without requiring reauthentication from server Ss, 
would render Baize unsatisfactory for its intended purpose. Therefore, there is no suggestion or 
motivation to make the modification of adding the reflexive ACLs as described in Cisco I to 
Baize. 

Based on the foregoing, Applicants respectfully submit that no combination of references, 
whether properly or improperly combined, cited against Claim 1 show the arrangement of 
features in as "complete detail as is contained in the . . . claim." It is respectfully submitted that 
Claim 1 is patentable over Baize, in view of Sadovsky, in view of Cisco I/II. 

Independent Claims 15 and 22 include features similar to Claim 1. It is therefore 
respectfully submitted that Claims 15 and 22 are patentable over Baize, in view of Sadovsky, in 
view of Cisco I/II, for at least the reasons given above with respect to Claims 15 and 22. 

Claims 2-9, 13-14, 16-19, 23, and 25-27 are dependent claims, each of which depends 
(directly or indirectly) on Claims 1, 15, and 22. In addition, each of Claims 2-9, 13-14, 16-19, 
23, and 25-27 introduces one or more additional features that independently render it patentable. 
Due to the fundamental differences already identified, to expedite the positive resolution of this 
case, a separate discussion of the features of Claims 2-9, 13-14, 16-19, 23, and 25-27 is not 
included at this time. The Applicant reserves the right to further point out the differences 
between the cited art and the novel features recited in the dependent claims. 

B. CLAIM 12 — BAIZE in view of SADOVSKY in view of CISCO I/II, in further view 
of COSS 

Claim 12 was rejected under 35 U.S.C. § 103(a) as allegedly unpatentable over Baize, in 
view of Sadovsky, in view of Cisco I/II, in further view of U.S. Patent No. 6,170,012 issued to 
Coss et al. The rejections are respectfully traversed. 

Claim 12 is a dependent claim, which depends (directly or indirectly) on Claim 1. The 
Office action relies on Coss for teaching the limitations within those dependent claims. 
However, Coss does not "fill the gaps" that Baize and Sadovsky leave with respect to 
independent Claim 1. Any combination of Baize, Sadovsky, Cisco I/II and Coss fails to provide 
the complete claimed subject matter of Claim 1. Due to the fundamental differences already 
identified, to expedite the positive resolution of this case, a separate discussion of the features of 
Claim 12 is not included at this time. In addition, Claim 12 introduces one or more additional 
features that independently render it patentable. The Applicant reserves the right to further point 
out the differences between the cited art and the novel features recited in the dependent claims. 

C. CLAIMS 10-11, 20-21, 24, and 28-30 — BAIZE in view of SADOVSKY in view 
of CISCO I/II, in further view of KLASSEN 

Claim 12 was rejected under 35 U.S.C. § 103(a) as allegedly unpatentable over Baize, in 
view of Sadovsky, in view of Cisco I/II, in further view of U.S. Patent No. 6,170,012 issued to 
Klassen et al. The rejections are respectfully traversed. 

Claims 10-11, 20-21, 24, and 28-30 are dependent claims, each of which depends 
(directly or indirectly) on Claims 1, 15, or 22. The Office action relies on Klassen for teaching 
the limitations within those dependent claims. However, Klassen does not "fill the gaps" that 
Baize, Sadovsky and Cisco I/II leave with respect to independent Claims 1, 15, or 22. Any 
combination of Baize, Sadovsky, Cisco I/II, and Klassen fails to provide the complete claimed 
subject matter of Claims 1, 15, or 22. Due to the fundamental differences already identified, to 
expedite the positive resolution of this case, a separate discussion of the features of Claims 10- 
11, 20-21, 24, and 28-30 is not included at this time. In addition, each of Claims 10-11, 20-21, 
24, and 28-30 introduces one or more additional features that independently render it patentable. 
The Applicant reserves the right to further point out the differences between the cited art and the 
novel features recited in the dependent claims. 

In view of the proper withdrawal of all rejections based on Welcher and Cisco I, because 
neither is citable as prior art against the application, or alternatively, in view of the 
arguments presented that traverse the rejections based on the cited art, it is respectfully asserted 
that the claims are now in condition for allowance. 
CONCLUSION 

For the reasons set forth above, it is respectfully submitted that all of the pending claims 
are now in condition for allowance. Therefore, the issuance of a formal Notice of Allowance is 
believed next in order, and that action is most earnestly solicited. 

The Examiner is respectfully requested to contact the undersigned by telephone if it is 
believed that such contact would further the examination of the present application. 

Respectfully submitted, 

HICKMAN PALERMO TRUONG & BECKER LLP 



Dated: September 5, 2008 /RhysWCheung#58648/ 

Rhys W. Cheung 
Reg. No. 58,648 

2055 Gateway Place, Suite 550 
San Jose, CA 95110-1089 
Telephone: (408) 754-1450 
Fax: (408)414-1076 